It is well known that USB drives can be dangerous. Companies run strict screening policies and it has long been known that running unknown ‘exe’ files is a bad idea. But what if the threat was undetectable, unfixable and could be planted into any USB device be it a USB drive, keyboard, mouse, web camera, printer, even smartphone or tablet? Well this nightmare scenario just became reality.
The findings will be laid out in a presentation next week from security researchers Karsten Nohl and Jakob Lell who claim the security of USB devices is fundamentally broken . More to the point they said it has always been fundamentally broken, but the holes have only just been discovered.
BadUSB
To demonstrate this the researchers created malware called ‘BadUSB’. It can be installed on any USB device and take complete control over any PC to which it connects. This includes downloading and uploading files, tracking web history, adding infected software into installations and even controlling the keyboard so it can type commands.
“It can do whatever you can do with a keyboard, which is basically everything a computer does,” explains Nohl in an interview with Wired.
Moreover BadUSB can send code both ways, aka from the USB device to the PC and from the PC to the USB device. Previously any malicious code on a USB drive could only travel one way. And it gets worse.
Unfixable and Undetectable
“These problems can’t be patched,” says Nohl. “We’re exploiting the very way that USB is designed… You can give it to your IT security people, they scan it, delete some files, and give it back to you telling you it’s ‘clean’ but the cleaning process doesn’t even touch the files we’re talking about.”
The reason for this is the exploit changes the firmware (instruction set) on USB devices rather than simply being a file stored on the main memory which could be accessed and deleted. In short: the exploit isn’t stored inside the USB device like a Trojan horse, it has reprogrammed the device itself. Since USB devices all share similar firmware the trick can be repeated on anything designed to be plugged into a USB port.
Even now the exploit is known addressing it is nearly impossible. ‘Code signing’ is a common countermeasure for stopping the unauthorised modification of firmware, but it isn’t part of the USB standard and even if it were there is no ‘clean’ USB firmware reference code to compare modifications against.
The exploit is already being tied to ‘Cottonmouth’, a USB spy device revealed last year in the leaks of Edward Snowden. The NSA hid Cottonmouth in peripheral plugs that were then connected to key computers. The exact operation of Cottonmouth was never revealed but Matt Blaze, computer science professor at the University of Pennsylvania, told Wired “I wouldn’t be surprised if some of the things [Nohl and Lell] discovered are what we heard about in the NSA catalogue.”
Nohl takes this a step further. He argues USB devices should be treated as if they are hypodermic needles . “In this new way of thinking, you can’t trust a USB just because its storage doesn’t contain a virus. Trust must come from the fact that no one malicious has ever touched it. You have to consider a USB infected and throw it away as soon as it touches a non-trusted computer. And that’s incompatible with how we use USB devices right now.”
Speaking to me Michael Sutton, VP of security research at Zscaler, agrees with the severity of Nohl’s warning. “Presently the only viable defence is to avoid using untrusted USB peripherals and those that have been outside of your control,” he explained.
While awareness will be the first step in addressing the security black hole now attributable to all USB devices, pressure will also mount quickly on the USB Implementers Forum and the major USB device manufacturers to come up with a permanent solution. Until then paranoia with build.
As Nohl concludes: “Nobody can trust anybody.”
Facebook
Twitter